4.
What is Armory?
• Armory Bitcoin Wallet is a free, open-source desktop application for securing Bitcoins yourself
– One of four such applications featured on bitcoin.org
• Known for “security at all costs”
– Sometimes “convenience” is one of those costs...
– Currently a tool tailored to advanced/power users
– Recently funded, will develop beginner's interface

40.
Do Not Reuse Addresses
• Risks:
– Bitcoin is actually not very good at anonymity
– When you reuse addresses you make it far worse
– Reusing addresses can hurt other users' privacy as well
• Mitigation:
– Bitcoin-Qt, Armory and Electrum do not reuse addresses by default
– Some users force reuse due to lack of understanding or simplicity of backups
– This is doing more harm than good in Armory & Electrum
– Multibit & Android Bitcoin Wallet reuse addresses by default
– Usually have an option to explicitly create new addresses, but not default
If you are using Bitcoin-Qt, Multibit or Android Bitcoin Wallet, you may want to reuse addresses anyway if you do not create backups regularly
(lack of privacy is usually preferred to losing coins)

41.
Address Reuse & Privacy
• Discussion:
– Address reuse is mostly a privacy issue, not a security issue
– Reusing the same public-private keypair is expected & safe throughout the rest of internet security
– But it is egregiously bad for privacy in Bitcoin
Users do not realize just how much privacy information is leaked by interacting with heavily-reused addresses!
• There are contexts in which it is okay, but not standard
– Donation addresses: all users donating know it is heavily reused, and accept being linked to it

42.
Address Reuse & Privacy
• If you are using Armory or Electrum, you have no excuse for reusing addresses!
– Both automatically generate new addresses for all operations – you have to go out of your way to reuse
– Both produce backups that work forever
• No matter how many new addresses you use, a backup made when the wallet was created will always work!

43.
What are Confirmations?
• Bitcoin transactions are not instantaneous
• Each confirmation is increased consensus that the transaction actually happened
– The first confirmation is the most important
– Six confirmations is generally considered irreversible
– For $1,000,000+, wait 20-30 confirmations
• Confirmations come on average every 10 minutes
– Actually exponential random: usually 30 sec to 45 min
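The arithmetic behind the last two bullets, as an added example that is not part of the original slides or of Armory: if block discovery is a Poisson process with a 600-second mean, the gap to the next block is exponentially distributed and the wait for k confirmations is Erlang(k). The code computes how often a gap is shorter than 30 seconds or longer than 45 minutes, and how long six, twenty or thirty confirmations take. The 600-second mean is the only parameter and the model assumes constant hashrate (no difficulty changes), which is an assumption of the example.

```go
package main

import (
	"fmt"
	"math"
)

// Mean block interval in seconds: Bitcoin's 10-minute target.
// Assumes constant hashrate (no difficulty changes or hashrate swings).
const meanBlockSeconds = 600.0

// intervalCDF returns P(next block arrives within t seconds).
// With Poisson block discovery the gap between blocks is exponential:
// P(gap <= t) = 1 - exp(-t / mean).
func intervalCDF(t float64) float64 {
	return 1 - math.Exp(-t/meanBlockSeconds)
}

// confirmationsCDF returns P(the k-th confirmation has arrived within t seconds).
// The wait for k Poisson arrivals is Erlang(k, rate):
//   P(T_k <= t) = 1 - exp(-x) * sum_{i=0}^{k-1} x^i / i!,  where x = t / mean
func confirmationsCDF(k int, t float64) float64 {
	x := t / meanBlockSeconds
	sum, term := 0.0, 1.0 // term holds x^i / i!, starting at i = 0
	for i := 0; i < k; i++ {
		if i > 0 {
			term *= x / float64(i)
		}
		sum += term
	}
	return 1 - math.Exp(-x)*sum
}

// confirmationsQuantile returns the smallest wait t (to the nearest second)
// such that confirmationsCDF(k, t) >= p, by bisection on the monotone CDF.
func confirmationsQuantile(k int, p float64) float64 {
	lo, hi := 0.0, 100*meanBlockSeconds*float64(k)
	for hi-lo > 1 {
		mid := (lo + hi) / 2
		if confirmationsCDF(k, mid) >= p {
			hi = mid
		} else {
			lo = mid
		}
	}
	return hi
}

func main() {
	fmt.Printf("P(gap < 30 s)   = %.4f\n", intervalCDF(30))
	fmt.Printf("P(gap > 45 min) = %.4f\n", 1-intervalCDF(45*60))
	for _, k := range []int{1, 6, 20, 30} {
		fmt.Printf("%2d confirmations: median %.0f min, 95%% within %.0f min, P(within 1 h) = %.3f\n",
			k, confirmationsQuantile(k, 0.5)/60, confirmationsQuantile(k, 0.95)/60, confirmationsCDF(k, 3600))
	}
}
```

Roughly 5% of gaps are under 30 seconds and about 1% exceed 45 minutes, which is where the "usually 30 sec to 45 min" range comes from; six confirmations take a little under an hour at the median, but the 95th percentile is noticeably longer, which matters when a merchant promises delivery "after six confirmations".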

44.
Confirmation Risks
• Do not trust zero-confirmation transactions unless there is pre-existing trust!
– Or, you're willing to eat the loss when reversed
• Attacks on zero-confirmation tx are easy and cheap
– Just not that many people doing it right now
• Attacks on one-confirmation tx require a bit more resources
• But they are possible!

45.
Call-to-Verify Addresses
• If you are sending large amounts of Bitcoin:
– You want to make sure you send it to the right place!
– An attacker could replace the correct address with his own on its way to your wallet software
• This is a serious security issue!
– The “payment protocol” hopes to solve this by using SSL concepts to prevent address tampering
– This will not work in all environments (not everyone has an SSL certificate)
• Pick up the phone and call the other parties
– Make sure they are who you think they are!
– Manually verify the address before execution
– This is much more reliable with an offline computer

47.
Hot vs. Cold
“Hot” Wallet
– The private keys are on an internet-attached system
– All wallets are “hot” by default
“Cold” wallet (“offline wallet”)
– Gold standard of security
– Private keys created and never leave the offline computer
– Transactions are signed offline

50.
Doing an Offline Transaction
Online computer:
• (1) Create transaction
– Same as you would with a hot wallet
• (2) Save unsigned transaction to USB
Offline computer:
• (3) Load tx from USB
• (4) Review for accuracy!
– All benefit is lost if you don't review on the clean, offline computer
• (5) Sign the transaction, save to USB
Online computer:
• (6) Load signed transaction, broadcast to network

51.
Splitting roles
Online computer:
• The watching-only wallet is identical to a regular wallet, but cannot sign/spend
• An attacker getting the online wallet is a breach of privacy, not security
Offline computer:
• Offline computer cannot display balances
• Remember, the offline wallet is the signing authority.
• The offline computer is a pen with specially-identifiable ink, for writing and signing checks
– The pen doesn't know or care what it's signing – it's up to you to verify what you're signing
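The six-step flow of slide 50 and the split roles of slide 51, as an added example that is not Armory's code: a watching-only wallet holding only the public key builds the transaction and checks the signature before broadcast, while an offline wallet holding the private key signs only what the review step approves. Go's P-256 curve stands in for Bitcoin's secp256k1 and a small JSON struct stands in for a real serialized transaction; both are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// UnsignedTx is a constructed, simplified stand-in for the unsigned transaction
// carried to the offline computer on the USB drive (steps 2 and 3).
type UnsignedTx struct {
	To     string `json:"to"`
	Amount uint64 `json:"amount_satoshi"`
}

// SignedTx is what the offline computer writes back to the USB drive (step 5).
type SignedTx struct {
	Tx  UnsignedTx `json:"tx"`
	Sig []byte     `json:"sig"`
}

// WatchingOnlyWallet is the online side: public key only, so it can build
// transactions and track balances but has nothing to sign with.
type WatchingOnlyWallet struct{ pub *ecdsa.PublicKey }

// OfflineWallet is the signing authority; the private key is created here and
// never leaves this type.
type OfflineWallet struct{ priv *ecdsa.PrivateKey }

// NewWalletPair creates the key on the offline side and exports only the public
// half. P-256 stands in for secp256k1, which the Go standard library lacks (assumption).
func NewWalletPair() (*OfflineWallet, *WatchingOnlyWallet, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &OfflineWallet{priv: priv}, &WatchingOnlyWallet{pub: &priv.PublicKey}, nil
}

// txDigest is the message both sides sign and verify: SHA-256 of the encoding.
func txDigest(tx UnsignedTx) []byte {
	b, _ := json.Marshal(tx) // a struct of string and uint64 always marshals
	h := sha256.Sum256(b)
	return h[:]
}

// CreateUnsigned is step 1: the online computer builds the transaction.
func (w *WatchingOnlyWallet) CreateUnsigned(to string, amount uint64) UnsignedTx {
	return UnsignedTx{To: to, Amount: amount}
}

// ReviewAndSign is steps 4 and 5: the offline computer signs only what the
// review callback (the human checking destination and amount) approves.
func (w *OfflineWallet) ReviewAndSign(tx UnsignedTx, approve func(UnsignedTx) bool) (*SignedTx, error) {
	if !approve(tx) {
		return nil, errors.New("transaction rejected during offline review")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, w.priv, txDigest(tx))
	if err != nil {
		return nil, err
	}
	return &SignedTx{Tx: tx, Sig: sig}, nil
}

// VerifyForBroadcast is step 6: before broadcasting, the online computer checks
// that the signature covers exactly the transaction it is about to send.
func (w *WatchingOnlyWallet) VerifyForBroadcast(s SignedTx) bool {
	return ecdsa.VerifyASN1(w.pub, txDigest(s.Tx), s.Sig)
}

func main() {
	offline, online, err := NewWalletPair()
	if err != nil {
		panic(err)
	}
	expectedDest := "1ConstructedDestinationAddress" // constructed address string
	unsigned := online.CreateUnsigned(expectedDest, 250_000_000)

	// Offline review: compare the on-screen destination with the one agreed out of band.
	signed, err := offline.ReviewAndSign(unsigned, func(t UnsignedTx) bool {
		return t.To == expectedDest && t.Amount <= 250_000_000
	})
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine signed tx verifies:", online.VerifyForBroadcast(*signed))

	// A destination swapped on the online computer after signing fails step 6.
	tampered := *signed
	tampered.Tx.To = "1ConstructedOtherAddress"
	fmt.Println("altered tx verifies:       ", online.VerifyForBroadcast(tampered))
}
```

The review callback is where the whole benefit lives: a compromised online computer can feed the USB drive any transaction it likes, so the offline side must compare destination and amount against what was agreed out of band (the "call to verify" of slide 45) before signing, and the online side's verification only catches changes made after signing.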

52.
Doing it Right
• If you are running any kind of online Bitcoin business, offline-wallets are an invaluable tool
– Keep bulk of your funds in an offline computer
• You can even keep it in a safe-deposit box!
– All webservers and on-site computers should only use watching-only wallets!
• Securely collect payments to the offline wallet
• Track your wallet balance
• Track and verify all payments/transactions
• No one who gains access to the server can steal it!
– Includes employees
If you need a hot wallet, keep it small, periodically refill from the cold wallet

53.
Use Linux
• Once you go down the “cold storage” path you are implementing serious security
• As of this writing, the best way to move data between online & offline computer is USB drives
– Linux has a much better history of resisting USB-based attacks
– We are working on better methods for secure transfer
• Armory website has Ubuntu “Offline Bundles”
– Will install and run on the first boot of a fresh install of Ubuntu 10.04 or 12.04
– The offline computer needs no other software at all!

54.
Extra Credit
• Dedicate a small USB key for offline transactions
– Minimize exposure to potential viruses
• Dedicate a computer for creating transactions
– Minimize exposure to potential viruses
– Make it exclusive for Bitcoin processing
• Use full-disk encryption to protect privacy
– Without it, someone not authorized can still see the wallet value and transaction history
– Also adds an extra layer of security
Did I mention, make unencrypted backups?

56.
Multi-Signature Transactions
• Most coins have a simple unlock condition:
– Here's a public key, sign with its private key to move
• Much more complex conditions are possible:
– Here's 3 public keys, sign with any 2 private keys
– This is a 2-of-3 multi-signature transaction

57.
A Critical Puzzle Piece
• Multi-signature transactions are critical for large organizations
– Wallets are managed by employees, who may steal
– All wallets currently have a single point of failure
• You can have:
– Five board members of a company create wallets
– All money handled by the company goes into 3-of-5
– All transactions require 3 signatures to be moved
• The Bitcoin network supports any M-of-N up to 20-of-20!

58.
Armory “Lockboxes”
• Armory just unveiled a multi-sig interface
– Collect public keys to create lockboxes
– Deposit money in lockboxes like any other address
– To spend from a lockbox:
• Create a transaction
• Each other party signs it
• Last party broadcasts it (finalizes it)
• Multi-sig transactions are inherently complex!
– Armory has made them about as easy as possible...
– ...just like it did with cold storage!
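The M-of-N unlock condition of slides 56 and 57 and the lockbox spending flow of slide 58 (create a transaction, each party signs, the last party finalizes), as an added example that is not Armory's lockbox code: public keys are collected into a lockbox, a spend proposal circulates and gathers signatures, and finalization applies the same threshold the network would. The 20-party ceiling comes from slide 57; P-256 stands in for secp256k1 and the byte-string payload stands in for a real transaction, both assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Lockbox is an M-of-N unlock condition: coins sent to it move only with
// valid signatures from at least M of the N registered public keys.
type Lockbox struct {
	M    int
	Pubs []*ecdsa.PublicKey
}

// SpendProposal is the spending transaction passed between the parties
// (by email, chat or USB); each party appends its own signature.
type SpendProposal struct {
	Payload []byte         // constructed stand-in for the serialized transaction
	Sigs    map[int][]byte // index into Lockbox.Pubs -> ASN.1 ECDSA signature
}

// newParties creates n independent keypairs; only the public halves go into
// the lockbox. P-256 stands in for secp256k1 (assumption of this example).
func newParties(n int) ([]*ecdsa.PrivateKey, []*ecdsa.PublicKey) {
	privs := make([]*ecdsa.PrivateKey, 0, n)
	pubs := make([]*ecdsa.PublicKey, 0, n)
	for i := 0; i < n; i++ {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		privs = append(privs, k)
		pubs = append(pubs, &k.PublicKey)
	}
	return privs, pubs
}

// NewLockbox is "collect public keys to create lockboxes"; 20 is the
// network's M-of-N ceiling quoted on slide 57.
func NewLockbox(m int, pubs []*ecdsa.PublicKey) (*Lockbox, error) {
	if n := len(pubs); m < 1 || m > n || n > 20 {
		return nil, fmt.Errorf("invalid policy %d-of-%d", m, n)
	}
	return &Lockbox{M: m, Pubs: pubs}, nil
}

// NewSpend is "create a transaction": nobody has signed yet.
func (l *Lockbox) NewSpend(payload []byte) *SpendProposal {
	return &SpendProposal{Payload: payload, Sigs: make(map[int][]byte)}
}

func (p *SpendProposal) digest() []byte {
	h := sha256.Sum256(p.Payload)
	return h[:]
}

// Sign is "each other party signs it": party idx adds its signature.
// Keying by party index means one party can never be counted twice.
func (p *SpendProposal) Sign(idx int, priv *ecdsa.PrivateKey) error {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, p.digest())
	if err != nil {
		return err
	}
	p.Sigs[idx] = sig
	return nil
}

// CountValid returns how many distinct registered keys have a valid signature
// over the current payload; unknown indices and bad signatures do not count.
func (l *Lockbox) CountValid(p *SpendProposal) int {
	count := 0
	for idx, sig := range p.Sigs {
		if idx < 0 || idx >= len(l.Pubs) {
			continue
		}
		if ecdsa.VerifyASN1(l.Pubs[idx], p.digest(), sig) {
			count++
		}
	}
	return count
}

// Finalize is the last party's check before broadcasting: the same threshold
// the network enforces, so an under-signed transaction never leaves the box.
func (l *Lockbox) Finalize(p *SpendProposal) error {
	if got := l.CountValid(p); got < l.M {
		return fmt.Errorf("need %d valid signatures, have %d", l.M, got)
	}
	return nil
}

func main() {
	privs, pubs := newParties(3)
	box, err := NewLockbox(2, pubs) // the 2-of-3 of slide 56
	if err != nil {
		panic(err)
	}
	spend := box.NewSpend([]byte("constructed: pay 1.5 BTC to 1ConstructedPayee"))
	if err := spend.Sign(0, privs[0]); err != nil {
		panic(err)
	}
	fmt.Println("after one signature:", box.Finalize(spend))
	if err := spend.Sign(2, privs[2]); err != nil {
		panic(err)
	}
	fmt.Println("after two signatures:", box.Finalize(spend))
}
```

Because every signature covers the payload digest, a party that edits the transaction after others have signed invalidates their signatures and must collect them again; that is also why each signer has to review the proposal before signing, exactly as with the offline wallet.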

61.
Armory “Lockboxes”
• The lockbox interface is the first step towards a more user-friendly version
– Decentralized: no third-party services
– All data can be exchanged via email, chat, USB
• Armory (and others) will create server-assisted version that handles most complexity for you
– Create a spending transaction from a 2-of-2
– Other party or device gets notification, confirms

63.
Hardware Wallets
• The Trezor is the most anticipated HW wallet
• Should be released in January, 2014
• A great tradeoff for security and convenience
• Hardware wallets hold the private keys and sign on the device
– The private keys cannot be read from it
– It will only emit the public keys
(Image: Trezor Hardware Wallet)

64.
Hardware Wallets
• The wallets they use are standardized
– Should be supported by all major wallet apps
• Will be a huge win for convenience & security
• Hardware wallets are an 80% solution
– They lack flexibility
– Another layer of trust required
– More difficult to audit
– Connect directly to online computer via USB

70.
Multi-Sig vs. Fragmenting
M-of-N Backups
– Fragmented backups are for securing your backup
– All transactions still require a single signature, from a single computer
– The fragments only need to be collected if wallet is lost
M-of-N Multi-Sig
– Multi-signature transactions are network-enforced
– Multiple public keys are included in the unlock conditions of the coins
– Network expects multiple sigs for every transaction
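The left column of this slide, as an added example that is not Armory's backup code: Shamir's secret sharing is the standard way to split one secret into N fragments of which any M rebuild it, and the code splits a constructed 32-byte seed 2-of-3 and 3-of-5 and recovers it. Nothing here touches the network or a signature, which is the contrast the slide draws: the fragments protect the backup, and whoever rebuilds the seed still signs alone. Whether Armory's own fragment format matches this exactly is not something this example claims; the prime field and the seed are assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Arithmetic is done in GF(p) with p = 2^521 - 1 (a Mersenne prime), which is
// large enough to hold a 32-byte wallet seed. Chosen for this example.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one backup fragment: a point (X, Y) on the secret polynomial.
type Share struct {
	X, Y *big.Int
}

// Split turns secret into n fragments of which any m reconstruct it: the
// secret is the constant term of a random polynomial of degree m-1, and each
// fragment is the polynomial evaluated at x = 1..n.
func Split(secret []byte, m, n int) ([]Share, error) {
	if m < 1 || m > n {
		return nil, fmt.Errorf("invalid scheme %d-of-%d", m, n)
	}
	s := new(big.Int).SetBytes(secret)
	if s.Cmp(prime) >= 0 {
		return nil, fmt.Errorf("secret too large for the field")
	}
	coeffs := []*big.Int{s}
	for i := 1; i < m; i++ {
		c, err := rand.Int(rand.Reader, prime) // random higher-order coefficient
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shares := make([]Share, n)
	for i := 1; i <= n; i++ {
		x := big.NewInt(int64(i))
		y := new(big.Int)
		for j := len(coeffs) - 1; j >= 0; j-- { // Horner's rule, mod p
			y.Mod(y.Add(y.Mul(y, x), coeffs[j]), prime)
		}
		shares[i-1] = Share{X: x, Y: y}
	}
	return shares, nil
}

// Recover interpolates the polynomial at x = 0 (Lagrange) from the fragments
// given. With fewer than m fragments the result is simply a wrong value: any
// m-1 fragments carry no information about the secret, which is the point.
func Recover(shares []Share, secretLen int) ([]byte, error) {
	secret := new(big.Int)
	for j, sj := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for k, sk := range shares {
			if k == j {
				continue
			}
			num.Mod(num.Mul(num, sk.X), prime)
			den.Mod(den.Mul(den, new(big.Int).Sub(sk.X, sj.X)), prime)
		}
		inv := new(big.Int).ModInverse(den, prime) // nil when den == 0 (duplicate X)
		if inv == nil {
			return nil, fmt.Errorf("duplicate fragment x=%s", sj.X)
		}
		term := new(big.Int).Mul(sj.Y, num)
		term.Mod(term.Mul(term, inv), prime)
		secret.Mod(secret.Add(secret, term), prime)
	}
	if secret.BitLen() > secretLen*8 {
		return nil, fmt.Errorf("value does not fit in %d bytes: wrong or too few fragments", secretLen)
	}
	return secret.FillBytes(make([]byte, secretLen)), nil
}

func main() {
	seed := []byte("constructed-32-byte-wallet-seed!") // constructed stand-in for a seed
	shares, err := Split(seed, 2, 3)                    // 2-of-3 fragmented backup
	if err != nil {
		panic(err)
	}
	got, err := Recover([]Share{shares[0], shares[2]}, len(seed))
	fmt.Println("two fragments rebuild the seed:", err == nil && string(got) == string(seed))
	_, err = Recover(shares[:1], len(seed))
	fmt.Println("one fragment alone:", err)
}
```

Each fragment on its own is a single point on a random line (or higher-degree curve), so it can be stored with a less-trusted party or location without exposing the seed; the trade-off the slide names is that, unlike multi-sig, once any M fragments are brought together the reconstructed seed is a normal single-signature wallet again and must be protected as such.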

71.
Brainwallets (don't use them!)
• Humans are really bad at memorizing things
• You will lose coins
• Your family will never recover your coins if you die
– You literally take your wealth with you to your grave
• Any system that requires your brain to be useful is essentially a brainwallet
• This is why Armory hates encrypted backups:
– If all your wallets are encrypted
– And all your backups are encrypted
– You have a brainwallet!

72.
Segregate Funds by Security
• Risks:
– Having all your funds in a single wallet means all funds have the same security
– Usually means funds are super-secure-but-inconvenient, or not properly secured
• Mitigation:
– Use multiple wallets (Armory & Multibit have native support)
– Exercise all the best practices on the majority of your funds
– Keeps most of your funds secured, periodically refill low-security wallets

73.
Sweep vs. Import
• Definitions:
– “Sweeping” an address/key means sending all the coins owned by that key to a new address (one you control)
– “Importing” an address means to add the private key to your wallet – usually so it can be reused
• When to sweep vs import
– Sweep if anyone else has ever had access to the private key
– Importing really only makes sense with address reuse
• I already told you not to do that!
When in doubt, SWEEP
• Serious security issue to consider:
– You import a key that someone else has
– That person pays you for services/goods
– They sweep the key after you have delivered